简体繁体 English

我可以使用JS加密而不是SSL来进行信用卡付款吗？

[英]Can I use JS encryption instead of SSL for credit card payments?

原文 2009-11-17 16:52:22 7 14 javascript/ security/ encryption/ ssl/ payment

I have an HTML form where people can make payments on my sites. 我有一个HTML表单，人们可以在我的网站上进行付款。 Instead of using SSL, I'm wondering whether I could use a JS lib that would encrypt the credit card information and send it to the server in clear text but encrypted, than the server would decrypt it. 而不是使用SSL，我想知道我是否可以使用JS lib来加密信用卡信息并以明文但加密的方式将其发送到服务器，而不是服务器将其解密。 I found several libs that do that, they basically ask for a key pair from the server, encrypt it and send it to the server encrypted. 我发现有几个lib这样做，他们基本上要求服务器上的密钥对，加密它并将其加密到服务器。 Those are the ones I found: 那些是我发现的：

http://www.jcryption.org/ http://www.jcryption.org/

http://www.hanewin.net/encrypt/ http://www.hanewin.net/encrypt/

http://www.vincentcheung.ca/jsencryption/ http://www.vincentcheung.ca/jsencryption/

Is that secure enough for credit card payments? 这对于信用卡付款是否足够安全？ I know the session is not encrypted but the only thing that really matters is the credit card information, right? 我知道会话没有加密，但唯一真正重要的是信用卡信息，对吗？

14 个解决方案

This is not secure in any way, shape, or form. 这在任何方面，形状或形式都不安全。

A man-in-the-middle can replace the public key with his own. 一个中间人可以用他自己的公钥代替公钥。 Any kludge you devise with "referer" or anything else besides SSL is not going to restore security to this atrocious scheme. 您使用“referer”或除SSL之外的任何其他设置的任何kludge都不会恢复这种恶劣方案的安全性。

When you can get a marginal certificate for free, or a decent certificate for next to nothing, why would you screw around with people's credit card number? 如果您可以获得免费的边际证书，或者几乎没有任何合适的证书，为什么要用人们的信用卡号码搞砸？ By failing to secure a credit card number in transit, you are violating PCI, and probably exposing yourself to a liability many times greater than the cost of obtaining and using a certificate. 由于未能确保传输中的信用卡号码，您违反了PCI，并且可能使您承担的责任比获取和使用证书的成本高出许多倍。 Or maybe you are just figuring that's the cardholders' problem? 或者你可能只是想到了持卡人的问题？

You cannot bootstrap a secure channel entirely in-band. 您无法完全在带内引导安全通道。 You need some secure medium for exchange of key material. 您需要一些安全的媒介来交换密钥材料。 That might be the distribution of a Certifying Authority's public key. 这可能是证书颁发机构公钥的分发。 Or perhaps meeting face-to-face to share a secret key. 或者也许会面对面分享一个秘密密钥。

Regardless of the scheme, you cannot build security out of insecurity. 无论方案如何，您都无法通过不安全来建立安全性。

No. Do not use javascript to secure credit card payments. 不。不要使用JavaScript来保护信用卡付款。

If you did, it would be trivial for someone to copy all your source code, and then poison the DNS cache or even setup phishing sites and send your users' payments into their bank account. 如果您这样做，那么复制所有源代码，然后中毒DNS缓存甚至设置网络钓鱼站点并将用户的付款发送到他们的银行帐户将是微不足道的。

Here's a scenario. 这是一个场景。

You complete your website, example.com, and put everything online. 您完成了您的网站example.com，并将所有内容放到网上。 Site launches, yay. 网站发布，是的。 You've used javascript to secure your credit card payments system. 您使用了javascript来保护您的信用卡付款系统。
Someone named Nefarious Hacker notices that you're not using a tried-and true method of securing vital personal information, so he downloads all of your HTML, JS, and CSS. 名为Nefarious Hacker的人注意到您没有使用经过验证的真实方法来保护重要的个人信息，因此他会下载所有HTML，JS和CSS。
N. Hacker strips out all the js based encryption, leaving only the form. N. Hacker剥离所有基于js的加密，只留下表格。 He then hosts it at evil-example.com. 然后他在evil-example.com上主持它。 It looks exactly like your site, and behaves exactly like your site. 它看起来与您的网站完全一样，其行为与您的网站完全相同。 Except that it submits unencrypted credit card data to N Hacker's database. 除了它将未加密的信用卡数据提交给N Hacker的数据库。
N. Hacker sends out some phishing emails that point users to evil-example.com. N. Hacker发送一些钓鱼邮件，将用户指向evil-example.com。 A few users, believing the evil site to be valid, submit payments. 一些用户认为邪恶网站有效，提交付款。 Their credit card is now stolen. 他们的信用卡现在被盗了。
N Hacker is able to successfully poison a DNS cache, so some users going to example.com instead are served up evil-example.com. N Hacker能够成功中毒DNS缓存，因此一些前往example.com的用户可以使用evil-example.com。 They have no reason to believe the site is fake (the url is what they expect), so they submit payments. 他们没有理由相信该网站是假的（网址是他们所期望的），所以他们提交付款。 Their cards are now stolen. 他们的卡现在被偷了。

If you had an SSL cert, the users would know IMMEDIATELY that the evil-example.com was not trusted, or that evil-example.com pretending to be example.com was fake. 如果你有SSL证书，用户会立即知道evil-example.com不受信任，或者冒充example.com的evil-example.com是假的。

(I'll make it big so it's obvious) （我会把它做大，所以很明显）

Bottom line - javascript is not secure enough to do CC payments* .* **底线 - javascript不够安全，无法进行CC支付。**

You could do this, but don't. 你可以做到这一点，但不要这样做。 It requires javascript on the client side and while you get the encryption part you probably are going to lose the other portion of SSL which is authentication. 它需要客户端的javascript，当你得到加密部分时，你可能会失去SSL的其他部分，即身份验证。 Using your method a man in the middle attack is possible while with SSL certificates it is much less likely. 使用您的方法可以使用中间攻击的人，而使用SSL证书则不太可能。

You could use JS encryption and chose to ignore the fact that it wasn't secure. 您可以使用JS加密并选择忽略它不安全的事实。

The problem you'd have then is that people wouldn't want to enter their credit card details on a page without an SSL connection. 您遇到的问题是人们不希望在没有SSL连接的情况下在页面上输入信用卡详细信息。 It wouldn't just be techies; 它不仅仅是技术人员; a lot non-technical users know to look for the padlock before entering their Credit Card number, even if they have no idea what TLS or SSL are. 很多非技术用户在输入信用卡号之前就知道要查找挂锁，即使他们不知道TLS或SSL是什么。

Not at all. 一点也不。 Remember that SSL also allows the client (the browser) to verify the authenticity of the remote party (your server). 请记住，SSL还允许客户端（浏览器）验证远程方（您的服务器）的真实性。 You have to make sure that the server you get the keys from is actually the one you want to get the keys from and not an entirely different machine. 你必须确保服务器，你拿到钥匙的其实是你想从键一个，而不是一个完全不同的机器。 (cf. Man in the middle ) （参见中间人）

潜在的法律上的麻烦，你可以从这个获得的方式不值得避免SSL的成本。

What if the user disables JavaScript in their browser? 如果用户在浏览器中禁用JavaScript，该怎么办？ I would say, play it safe and stick with SSL. 我会说，玩它安全并坚持使用SSL。

@stimms explains well why this is dangerous - SSL does both encryption and ensures that the encrypted data is going to the right place as well. @stimms解释了为什么这是危险的 - SSL同时进行加密并确保加密数据也能到达正确的位置。 On top of that, browsers treat SSL and non-SSL caching differently - if you're not serving these pages over SSL, the user's browser may store vital information in the clear on the user's computer. 最重要的是，浏览器对SSL和非SSL缓存的处理方式不同 - 如果您不通过SSL提供这些页面，则用户的浏览器可能会在用户的计算机上以明文形式存储重要信息。

Even if perfectly safe, this wouldn't be a good idea either. 即使非常安全，这也不是一个好主意。 Many users have had the rule "look for the lock icon for e-commerce" drilled into their brains by IT staff, tech-savvy relatives, etc. Spring for the $25 for a SSL cert. 许多用户已经有了“寻找电子商务的锁定图标”的规则，这些规则由IT人员，技术娴熟的亲戚等钻进他们的大脑。对于SSL证书，只需25美元。

edit: Another potential issue - most credit card companies require transmission over SSL. 编辑：另一个潜在的问题 - 大多数信用卡公司需要通过SSL传输。 Doing it with just JS may well violate your merchant agreement - fines and termination might ensue. 仅使用JS进行操作可能会违反您的商家协议 - 可能会导致罚款和终止。

Ggolo, seriously dude, don't do this. Ggolo，老兄，不要这样做。 Any site passing credit card details is going to get attention from hackers, who WILL find some mistake or exploit in your hand-rolled approach if they try hard enough. 任何通过信用卡详细信息的网站都会引起黑客的注意，如果他们努力尝试，他们会发现一些错误或利用你的手工方法。 Just stump up for the SSL cert. 只是为了证明SSL证书。

While technically the data encrypted in JS would be similar to encrypting it with a real cert, I think you are missing a key element here; 虽然从技术上讲，用JS加密的数据类似于用真实证书加密它，但我认为你错过了一个关键元素; TRUST. 信任。 When using a real SSL cert from a trusted provider, you are making a circle of trust: 使用来自可信提供商的真实SSL证书时，您正在建立一个信任圈：

Customer trusts Microsoft 客户信任微软
Microsoft trusts GoDaddy/Verisign/whoever (by virtue of Windows or any other web browser shipping with the root certificates) Microsoft信任GoDaddy / Verisign / whoever（凭借Windows或任何其他带有根证书的Web浏览器）
GoDaddy/Verisign/whoever trusts You (by virtue of you having bought a cert from them, and they verify your identity) GoDaddy / Verisign /无论谁信任你（凭借你从他们那里购买了证书，他们验证了你的身份）
Green lights and locks appear in web browser, and user can inspect the certs themselves if they want, Which in turn means Customer trusts You. 绿灯和锁定出现在Web浏览器中，用户可以根据需要自行检查证书，这反过来又意味着客户信任您。

When you just have an unsecured web site, with the words "your data is secure, just ignore what your web browser is telling you", then the customer does not trust you. 当您拥有一个不安全的网站时，“您的数据是安全的，只需忽略您的网络浏览器告诉您的内容”，那么客户就不会信任您。

(and if they do, then forward me their info, I have a bridge to sell them...) （如果他们这样做，那么转发我的信息，我有一座桥梁可以卖给他们......）

Also, for what it's worth, there are standards from the major CC companies on how to handle and store credit card info. 此外，对于它的价值，主要的CC公司有关于如何处理和存储信用卡信息的标准。 Google "PCI DSS" for details, or: https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml Google“PCI DSS”了解详情，或者： https ： //www.pcisecuritystandards.org/security_standards/pci_dss.shtml

In addition to the points everyone else has made, SSL is an established standard and every Web browser has built-in support for that standard. 除了其他人提出的要点之外，SSL是一个既定的标准，每个Web浏览器都内置了对该标准的支持。 The browser GUI changes in some way to let me know that I'm using a secure connection and I can inspect the certificate details if I want to. 浏览器GUI以某种方式更改，让我知道我正在使用安全连接，如果需要，我可以检查证书详细信息。

Browsers don't have any support for whatever home-grown scheme you come up with. 浏览器对您提出的任何本土计划都没有任何支持。

The PCI DSS standards are now a requirement so you even if you could do this with JS (which as has been extensively discussed on this page - you can't) then you still wouldn't get PCI approval so you wouldn't be allowed to use it. PCI DSS标准现在是一项要求，所以即使你可以用JS做这个（你已经在本页已经广泛讨论了 - 你做不到），那么你仍然不会获得PCI批准，所以你不会被允许使用它。

If you absolutely want to avoid buying an SSL certificate then look into your payment providers service. 如果您绝对不想购买SSL证书，请查看您的支付提供商服务。 Most of them provide a third party hosted solution such as Paypal, SagePay, etc where you are passed out from your site over to the providers website to take the credit card details and then passed back. 他们中的大多数提供第三方托管解决方案，如Paypal，SagePay等，您从您的网站传递到提供商网站，以获取信用卡详细信息，然后传回。

This removes the burden from you to a) be compliant and b) buy an ssl cert. 这减轻了您的负担a）符合要求并且b）购买ssl证书。

No, because you're still susceptible to a man-in-the-middle attack. 不，因为你仍然容易受到中间人攻击。

But you can use it to lower your PCI compliance requirement considerably, because if you encrypt credit card numbers with a public key to which you don't have the private key, then you shift the burden of compliance. 但您可以使用它来大大降低PCI合规性要求，因为如果使用没有私钥的公钥加密信用卡号，那么您就会转移合规性负担。

This is encouraged even by the payment processors. 甚至付款处理器也鼓励这样做。 See for instance Braintree's write-up on client-side encryption . 例如，请参阅Braintree关于客户端加密的文章。

Absolutely NO 绝对没有

If you want to take credit card payments and you don't want to do it yourself properly, there are service organizations that specialize in exactly this. 如果您想要信用卡付款并且您不想自己正确地进行，那么有一些服务组织专门针对这一点。

Here's a few: 这里有几个：

2CheckOut, Affero, BTClick&Buy, CCAvenue, CCBill, CCNow, ClickBank, DigiBuy, DigitalCandle, FastPay, iBill, iKobo, ImagineNation, InstaBill, Jettis, Kagi, MembershipPlus, Moneybookers, MultiCards, MyPaySystems, NoChex, PartyKey, Pay-Line, Paymate, Process54, ProPay, Reg.Net, RegNow, RegSoft, Share*It, StormPay, SWREG, V-Share, Verotel, VolPay, Yahoo! 2CheckOut，Affero，BTClick＆Buy，CCAvenue，CCBill，CCNow，ClickBank，DigiBuy，DigitalCandle，FastPay，iBill，iKobo，ImagineNation，InstaBill，Jettis，Kagi，MembershipPlus，Moneybookers，MultiCards，MyPaySystems，NoChex，PartyKey，Pay-Line，Paymate， Process54，ProPay，Reg.Net，RegNow，RegSoft，Share * It，StormPay，SWREG，V-Share，Verotel，VolPay，Yahoo！ PayDirect. PayDirect。

Here's a more complete list 这是一个更完整的列表

Give them a call! 给他们打个电话！

And of course there's always PayPal 当然，总有PayPal